Menu

JUST WHEN YOU GET YOUR HEAD AROUND GDPR, ALONG COMES “ePRIVACY”

The European Commission’s Digital Single Market Strategy (DSM) is designed to “open up digital opportunities for people and business and enhance Europe’s position as a world leader in the digital economy.[1]

This wide ranging strategy has achieved a number of things from the abolition of mobile roaming charges across Europe, to GDPR.

In January this year (2017) the Commission published a new proposal as part of the DSM: the snappily titled:

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 202/58/EC (Regulation on Privacy and Electronic Communications)[2].

In Muggle-speak, what this means is that a new piece of legislation is on the way to replace the existing 2002 ePrivacy Directive[3] (amended 2009), known affectionately as the “Cookie Law”, with a new ePrivacy Regulation. The European ePrivacy Directive is the piece of legislation which the UK enacted as the Privacy and Electronic Communications Regulations – PECR[4].

As we know, PECR was created to sit alongside the Data Protection Act (DPA) to specifically cover electronic communications. With the DPA itself being replaced by GDPR on May 25th 2018, it was felt that the ePrivacy Directive and PECR also needed to be beefed-up to reflect the additional scope of GDPR, and will, for electronic communications, effectively supersede GDPR.

The proposals have been amended significantly since the leak of an early draft back in December 2016, but will still have far reaching consequences which the UK Internet Advertising Bureau claims will “effectively put the future of the web as we know [it] at danger, with considerable knock-on effects on media pluralism and digital inclusion”[5]

Stronger

As might be expected, the rules will be strengthened and should ensure that all people, and businesses, in the EU enjoy the same level of protection in their electronic communications. The rules will be enforced by the same agencies responsible for enforcing GDPR, and with the same eye-watering level of financial penalty.

Over-The-Top

The proposal will apply to “new”, often called OTT (over-the-top), services such as Facebook, Facebook Messenger, WhatsApp and Skype etc. which, unlike traditional telecoms, were not previously covered by either the DPA or PECR.

Metadata

In addition to guaranteeing privacy for the content of communications, the new proposal also includes metadata, such as who made the call, the time of a call and where the call was made. Metadata could be used to track a person without their knowledge and so will now need to be anonymised or deleted if the user has not given consent; unless this information is needed for billing purposes.

Cookie Cutter

A previous change to the rules which required websites to seek permission to use cookies resulted in internet users being bombarded with consent requests. The new rule will allow browser settings to be used to provide a way to accept or refuse tracking cookies and other identifiers. Non-privacy intrusive cookies, such as shopping cart histories, do not require consent.

Consent-only Legal Basis

The current proposal cites “Consent” as the only legal basis for processing data. Unlike GDPR, there is no option, or even discussion of the possibility to use “Legitimate Interest”, other than to say that it is reasonable to allow the use of email to offer similar products and services to existing customers.

By requiring prior consent as the only legal basis, the proposal is therefore effectively banning unsolicited emails, SMS and automated calling machines.

However, it is being left up to individual nations to decide whether to protect their citizens by the use of a do-not-call list, such as the UK’s Telephone Preference Service (TPS), or simply to impose a blanket ban, as in Germany.

This latter option would have major implications for the industry and likely to be the subject of much lobbying by industry bodies such as the DMA. However, they don’t have much time as the new regulations are due to come in effect on 25th May 2018: GDPR-day!